The screened subnet firewall is a variation of the dual-homed gateway
and screened host firewalls.
It can be used to locate each component of the firewall on a separate
system, thereby achieving greater throughput and flexibility, although
at some cost to simplicity.
But each component system of the firewall needs to
implement only a specific task, making the systems less complex to configure.

In figure , two routers are used to create an inner,
screened subnet.
This subnet (sometimes referred to in other literature as the ``DMZ'')
houses the application gateway; however, it could also house information
servers, modem pools, and other systems that require carefully controlled
access.
The router shown as the connection point to the Internet would route
traffic according to the following rules:

The outer router restricts Internet access to specific systems
on the screened subnet, and blocks all other traffic to the Internet
originating from systems that should not be originating connections
(such as the modem pool, the information server, and site systems).
The router would be used as well to block packets such
as NFS, NIS, or any other vulnerable protocols that do not need to pass to
or from hosts on the screened subnet.

The inner router passes traffic to and from systems on the screened subnet
according to the following rules:

application traffic from the application gateway to site
systems gets routed,

e-mail traffic from the e-mail server to site systems gets
routed,

application traffic to the application gateway from site systems
gets routed,

e-mail traffic from site systems to the e-mail server gets routed,

ftp, gopher, etc., traffic from site systems to the information
server gets routed.

Thus, no site system is directly reachable from the Internet and vice
versa, as with the dual-homed gateway firewall.
A big difference, though, is that the routers are used to direct traffic
to specific systems, thereby eliminating the need for the application
gateway to be dual-homed.
Greater throughput can be achieved, then, if a router is used as the
gateway to the protected subnet.
Consequently, the screened subnet firewall may be more appropriate for
sites with large amounts of traffic or sites that need very high-speed
traffic.
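The outer and inner router rules described above can be modelled as ordered packet-filter rule lists with first-match semantics and a default deny, as in the following added Python example (not from the original text). The addresses, the port numbers chosen for the proxied services, and the treatment of a "subverted" router as one that passes everything are assumptions made for the example; it shows that an Internet packet bound for a site system is dropped at the outer router and, if the outer router were bypassed, at the inner router as well.

```python
import ipaddress

# Constructed sample addressing, an assumption for this example (not from the text).
SITE = ipaddress.ip_network("10.0.0.0/16")       # internal site systems
SCREENED = ipaddress.ip_network("192.0.2.0/24")  # the screened subnet ("DMZ")
APP_GW = ipaddress.ip_network("192.0.2.10/32")   # application gateway
MAIL = ipaddress.ip_network("192.0.2.25/32")     # e-mail server
INFO = ipaddress.ip_network("192.0.2.80/32")     # information server (ftp, gopher)
NFS_NIS = {111, 2049}                            # portmap/NIS and NFS ports
ORDER = ["internet", "screened", "site"]         # zones, outermost first

def zone(addr):
    a = ipaddress.ip_address(addr)
    return "site" if a in SITE else "screened" if a in SCREENED else "internet"

def match(sel, addr):
    # A selector is None (any address), a zone name, or a network.
    return sel is None or (zone(addr) == sel if isinstance(sel, str)
                           else ipaddress.ip_address(addr) in sel)

# Rules are (src, dst, destination ports or None, allow): first match wins, default deny.
OUTER = [
    (None, None, NFS_NIS, False),           # NFS/NIS never cross the outer router
    ("internet", APP_GW, {21, 23}, True),   # proxied ftp/telnet terminate on the gateway
    ("internet", MAIL, {25}, True),
    ("internet", INFO, {21, 70}, True),
    (APP_GW, "internet", None, True),       # only the gateways originate outbound;
    (MAIL, "internet", {25}, True),         # modem pool, info server, site: denied
]
INNER = [
    (APP_GW, "site", None, True), ("site", APP_GW, None, True),
    (MAIL, "site", {25}, True), ("site", MAIL, {25}, True),
    ("site", INFO, {21, 70}, True),         # nothing else reaches site systems
]
ROUTERS = {"outer": OUTER, "inner": INNER}

def verdict(rules, src, dst, port):
    for rsrc, rdst, ports, allow in rules:
        if match(rsrc, src) and match(rdst, dst) and (ports is None or port in ports):
            return allow
    return False

def path(src, dst):
    """Routers a packet must cross, in order, based on the zones of its endpoints."""
    i, j = ORDER.index(zone(src)), ORDER.index(zone(dst))
    return ["outer", "inner"][min(i, j):max(i, j)][:: 1 if i < j else -1]

def traverse(src, dst, port, subverted=()):
    """Return (allowed, router that blocked it). Routers named in 'subverted' are
    treated as passing everything, to show the other router still enforces policy."""
    for hop in path(src, dst):
        if hop not in subverted and not verdict(ROUTERS[hop], src, dst, port):
            return False, hop
    return True, None
```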

The two routers provide redundancy in that an attacker would have to subvert
both routers to reach site systems directly.
The application gateway, e-mail server, and information server could
be set up such that they would be the only systems ``known'' from the
Internet; no other system name need be known or used in a DNS database
that would be accessible to outside systems.
The application gateway can house advanced authentication software
to authenticate all inbound connections.
It is, obviously, more involved to configure; however, the use of
separate systems for application gateways and packet filters keeps the
configuration simpler and more manageable.

The screened subnet firewall, like the screened host firewall, can
be made more flexible by permitting certain ``trusted'' services
to pass between the Internet and the site systems.
However, this flexibility may open the door to exceptions to the
policy, thus weakening the effect of the firewall.
In many ways, the dual-homed gateway firewall is more desirable because
the policy cannot be weakened (because the dual-homed gateway cannot
pass services for which there is no proxy).
However, where throughput and flexibility are important, the screened
subnet firewall may be preferable.

As an alternative to passing services directly between the Internet
and site systems, one could locate the systems
that need these services directly on the screened subnet.
For example, a site that does not permit X Windows or NFS traffic between
Internet and site systems, but has systems that need such access anyway,
could locate those systems on the screened subnet.
The systems could still maintain access to site systems by connecting to
the application gateway and reconfiguring the inner router as necessary.
This is not a perfect solution, but an option for sites that require a high
degree of security.

There are two disadvantages to the screened subnet firewall.
First, the firewall can be made to pass ``trusted'' services
around the application gateway(s), thereby subverting the policy.
This is true also with the screened host firewall; however, the screened
subnet firewall provides
a location to house systems that need direct access to those services.
With the screened host firewall, the ``trusted'' services that get passed
around the application gateway end up being in contact with site systems.
The second disadvantage is that more emphasis is placed on the routers
for providing security.
As noted, packet filtering routers are sometimes quite complex to
configure and mistakes could open the entire site to security holes.